Securing the Global Digital Infrastructure (GDI) Together

Today, the European Commission and the EU’s External Action Service (EEAS) presented their response to the growing threats in cyberspace by releasing a policy document (the “Communication”) outlining the required longer-term actions, together with proposed legislation (the “Directive”). These actions demonstrate the European Union’s commitment and resolve to address these threats. Together with the recent creation of the European Cybercrime Centre (EC3) in The Hague, today’s proposals further pave the way for a strong coordinated response against these 21st century threats. Intel and McAfee welcome the EU’s resolve in addressing ongoing and emerging challenges in cyberspace and the recognition that this requires global public and private cooperation.

Digital threats are very real and ever growing. McAfee Labs routinely collects an immense amount of data on cyber threats and publishes statistics that highlight the threat to all citizens from nefarious actors.[1] For 2013, the volume and complexity of threats are anticipated to grow, according to McAfee’s Chief Technology Officer for EMEA, Raj Samani. At the heart of the fight against malicious actors is technological innovation. McAfee’s Global Threat Intelligence (GTI) provides a comprehensive, real-time intelligence service that enables McAfee products to protect customers across all vectors. “Whatever the regulatory response, we should ensure that such technological innovation continues to be at the forefront of efforts to out-innovate the malicious actors”, according to Mr Samani.

The EU’s proposals highlight the responsibility of private actors in the overall securing of our Global Digital Infrastructure. We agree that private organizations bear responsibility for ensuring that the products and services they bring to the market have been designed with security in mind and that industry standards of care have been met. Like many responsible companies, we have a strong Security Development Lifecycle in place to ensure our products are evaluated against possible threats. We should, however, avoid specific regulatory mandates for specific solutions or processes that would slow innovative technological solutions and hamper industry and government’s ability to respond to the dynamic threat environment. According to David Hoffman, Intel’s Director of Security Policy and Global Privacy Officer, global standards should remain the guiding light for an effective global policy environment. “When looking at issues of product assurance, secure development and evaluation, these should be addressed through existing methods such as the global evaluation methodology like the Common Criteria and the Common Criteria Recognition Arrangement or industry-led codes”, said Mr Hoffman.

One part of the proposal that will draw significant attention is the introduction of a security breach notification system to further incentivize both public and private organizations. “Such systems can play a role in increasing awareness and responsibility”, says Mr Hoffman, “but they need to be well thought through to avoid unintended consequences such as over-notifications”. Forced notifications of vulnerabilities should be avoided. “The system as proposed will need to be further fine-tuned to ensure it will be a workable system”, says Mr Samani.

Intel and McAfee strongly welcome the focus of the proposals not only on increasing public-private cooperation but also on further strengthening the baseline requirements amongst public authorities. Promoting harmonized baseline capabilities across all Computer Emergency Response Teams (CERTs) in the EU is a crucial goal. The proposals should seek to build and further strong coordination, including the sharing of threat information, via strong joint public and private cooperation.

Finally, we strongly welcome the highlighting of the role of awareness-raising campaigns. Educating and informing people of the threats, ways to protect their systems and their responsibilities contributes to the overall security of the GDI and should be a cornerstone of any effective cybersecurity strategy. We look forward to building further on existing awareness-raising activities such as cybersecurity awareness day and McAfee’s ongoing initiatives.

Intel and McAfee are committed to continuing to lead the discussion on how to address the ever-changing threat landscape. We are looking forward to working with all stakeholders during the legislative process to ensure a strong outcome.

David Hoffman is Intel’s Director of Security Policy and Global Privacy Officer

Raj Samani is McAfee’s EMEA Chief Technology Officer

Christoph Luykx is Intel’s European policy lead on Privacy and Security

[1] See McAfee’s Quarterly threat reports in 2012 and the 2013 threat predictions.